Vulnerability scanning
Security vulnerabilities are a primary attack vector that can lead to data breaches and business disruptions. Security Center scans your assets for vulnerability types including Linux Software Vulnerability, Windows System Vulnerability, Application Vulnerability, and Web-CMS Vulnerability. Identify and fix risks before an attack occurs.
Vulnerability scanning mechanism
Security Center uses the following two methods for vulnerability detection:
Software composition analysis (SCA) — passive detection: The Security Center agent collects software version and dependency library information from your servers and compares it against a vulnerability database. This process analyzes only software metadata and has no impact on your business systems.
Web scanner — active validation: The web scanner sends proof-of-concept (POC) requests from the internet to your application services, simulating attack behavior to confirm whether a vulnerability exists. This method can detect high-risk vulnerabilities such as remote command execution and SQL injection. All requests are harmless probes and will not cause damage to your systems.
Assets in the Outside Chinese Mainland region hosted in the Singapore data center do not currently support the web scanner feature.
Supported editions and scan coverage
Subscription
Edition | Manual scan | Automatic (periodic) scan |
Enterprise,Ultimate | All | |
Advanced | All vulnerability types except Application Vulnerability. | |
Basic,Value-added Plan,Anti-virus | Urgent Vulnerability | Linux Software Vulnerability and Windows System Vulnerability |
Pay-as-you-go
Protection level | Manual scan | Automatic (periodic) scan |
Host Protection and Hosts and Container Protection | All | |
Unprotected and Antivirus | Urgent Vulnerability | Linux Software Vulnerability and Windows System Vulnerability |
To use the application vulnerability scanning feature, one of the following conditions must be met:
Pay-as-you-go: The asset must be bound with the "Host & Container Full Protection" authorization.
Subscription: The current edition must be Advanced or higher.
If your current edition does not support this feature, upgrade your service first.
Configure a network whitelist
To ensure that the web scanner can access your servers and perform active validation (POC), add the Security Center scanning IP range 47.110.180.32/27 (47.110.180.32 to 47.110.180.63) to the whitelists of your security groups and network firewalls.
If the Security Center scanning IP range is not added to your whitelist, the web scanner's POC requests may be blocked. This prevents detection of application and urgent vulnerabilities, or causes requests to be flagged as attacks.
POC validation requests may include the auxiliary domain
s0x.cn(used for application and urgent vulnerability detection). If this triggers an alert, ignore the alert or create a whitelist rule for the domain.
Configure a security group
If your server is an Alibaba Cloud ECS instance, see Configure a security group and add an inbound rule with the following parameters:
Parameter | Value |
Direction | Inbound |
Action | Allow |
Protocol Type | TCP |
Port Range | 1–65535 |
Source | 47.110.180.32/27 |
Configure a firewall whitelist
If your server uses Web Application Firewall (WAF), see Configure a WAF whitelist rule and add a whitelist rule with the following parameters:
Parameter | Value |
Match Field | IP |
Logic | Belongs to |
Match Content | 47.110.180.32/27 |
Detection Modules to Skip | All |
Run a vulnerability scan
Security Center provides two scanning methods:
Manual scan: Immediately assess the vulnerability status of your servers on demand.
Automatic (periodic) scan: Set up recurring scan tasks for continuous vulnerability monitoring.
After a scan starts, the system creates a scan task and runs it in the background. You can view scan progress and results in task management.
Manual scan
Log on to the Security Center console.
On the Vulnerabilities page, click Quick Scan (All Servers). In the Vulnerability Scan dialog box, select the vulnerability types to scan, and then click OK.
NoteTo scan specific servers instead of all servers, go to the Host page, select the target servers, click Security Check at the bottom of the page, and then select Vulnerabilities in the dialog box.
Running a manual one-click scan does not affect the existing automatic scan schedule. Manual and automatic scans are independent of each other. Automatic scans, such as system vulnerability scans that run daily or every two days, continue to run on their scheduled cycles.
Automatic (periodic) scan
Automatic scanning uses two scheduling approaches depending on the vulnerability type:
Default cycle (not configurable):
Applies to Linux Software Vulnerability and Windows System Vulnerability.
Default scan frequency:
Subscription:
Advanced, Enterprise, Ultimate — once per day;
Basic, Value-added Plan, Anti-virus — once every two days.
Pay-as-you-go:
Host Protection, Hosts and Container Protection — once per day;
Unprotected, Antivirus — once every two days.
User-defined cycle:
Applies to Application Vulnerability and Urgent Vulnerability.
Available for Subscription (Advanced,Enterprise,Ultimate) and Pay-as-you-go (Host Protection,Hosts and Container Protection).
To configure automatic scanning:
Log on to the Security Center console.
In the Vulnerabilities page, click Vulnerability Settings. Configure the following settings as needed:
Parameter
Description
Vulnerability scan switch
Enables or disables scanning for various vulnerability types (Linux Software Vulnerability, Windows System Vulnerability, Web-CMS Vulnerability, Application Vulnerability, and Urgent Vulnerability). After you enable a scan, you can click Manage to specify the servers to which the scan applies.
YUM/APT Source Configuration
When enabled, Alibaba Cloud official YUM/APT sources take priority for fixing Linux vulnerabilities, which significantly improves the remediation success rate.
Urgent Vulnerability Scan Cycle
Sets the execution frequency for urgent vulnerability scan tasks.
Default scan window:
Chinese Mainland:
00:00:00 (UTC+8)to07:00:00 (UTC+8).Outside Chinese Mainland:
00:00:00 (UTC+7)to07:00:00 (UTC+7).
Available editions/protection levels:
Subscription: Advanced, Enterprise, and Ultimate.
Pay-as-you-go: Host Protection and Hosts and Container Protection.
Application Vulnerability Scan Cycle
Sets the execution frequency for application vulnerability scan tasks.
Default scan window:
Chinese Mainland:
00:00:00 (UTC+8)to07:00:00 (UTC+8).Outside Chinese Mainland: A staggered scheduling mechanism runs scans at different times within a 24-hour period.
Available editions/protection levels:
Subscription: Enterprise and Ultimate.
Pay-as-you-go: Host Protection and Hosts and Container Protection.
System Vulnerabilities Scanned At
Sets a specific time for Linux Software Vulnerability and Windows System Vulnerability scan tasks to run.
Retain Invalid Vulnerabilities For
Sets the data cleanup period for stale vulnerabilities.
The system considers vulnerabilities that are not re-detected or handled for an extended period to be stale. Stale vulnerabilities are automatically archived to the "Handled" list. After the period you configured in Retain Invalid Vulnerabilities For expires, the system permanently deletes them to reduce clutter.
NoteIf Security Center detects the same type of vulnerability again in the future, a new alert is generated.
Vulnerability Scan Level
Sets the risk levels of vulnerabilities to scan for. The system scans for and reports only the vulnerabilities that match the selected levels.
Vulnerability Whitelist Settings
Add vulnerabilities that you decide not to fix (for example, due to business requirements or acceptable risk) to a whitelist. These vulnerabilities are then ignored in future scans.
NoteAfter you add a vulnerability whitelist rule, you can manage it (edit or delete) on the Vulnerability Whitelist Settings tab in the Vulnerability Settings panel.
View scan tasks
On the Vulnerabilities page, click Task Management in the upper-right corner.
Click Details in the Actions column for a task to view its impact data, including Affected Servers, Successful Servers, and Failed Servers.
For successfully scanned servers, the Status column shows the scope of detected vulnerabilities. For failed scans, the Status column shows the failure reason.
Troubleshoot stalled scan progress
If a scan task remains at 0% progress or stays in the "Scanning" status for an extended period, follow these steps:
Check agent status: Verify that the Security Center agent on the target server is online. If the agent status is abnormal, try refreshing the page or restarting the agent service on the server.
Locate failed servers: Click Task Management in the upper-right corner of the vulnerability management page to view task details and identify servers where scanning failed.
Run emergency scan for failed servers: Click Vulnerability Settings in the upper-right corner, find the Urgent Vulnerability Scan Cycle option, select only the failed servers, and run a one-click scan to complete the remaining vulnerability detection.
Report shows 0 vulnerabilities: If the scan completes but the report shows 0 vulnerabilities, manually run a vulnerability scan and virus scan first, then view or export the report again after scanning completes.
View and handle vulnerabilities
On the Vulnerabilities page, go to the tab for the target vulnerability type, enter the vulnerability details page, and follow the instructions to fix it. For remediation steps, see Manage vulnerabilities.
Application Vulnerability and Urgent Vulnerability do not support one-click remediation from the console. You must log on to the server and fix them manually based on the remediation suggestions in the vulnerability details.
Service model | Service edition / Protection level | Description |
Subscription | Enterprise and Ultimate | Supports remediation for Linux Software Vulnerability, and Windows System Vulnerability. |
Advanced | Supports remediation for Linux Software Vulnerability and Windows System Vulnerability. | |
Basic, Value-added Plan, and Anti-virus | Important You must purchase the Vulnerability Fix value-added service to use one-click remediation. For purchase instructions, see Purchase guide. Supports remediation for Linux Software Vulnerability and Windows System Vulnerability. | |
Pay-as-you-go | All protection levels |
Troubleshoot Linux vulnerabilities not displayed
If Linux-related vulnerabilities (such as specific CVE kernel privilege escalation vulnerabilities) are not displayed in the console, follow these steps:
Check filter settings: On the vulnerability management page, check whether any filter switches or view settings are enabled (such as filtering by specific risk levels). Disable relevant filters or adjust view settings to ensure Linux vulnerabilities are displayed.
Re-run the scan: If vulnerabilities are still not displayed after adjusting filters, click Quick Scan to re-run the vulnerability scan. Also, log on to the server and run the following command to confirm the system kernel version:
uname -rAssess CVE vulnerability impact: For specific CVE vulnerabilities (such as CVE-2026-31431), check whether the kernel version falls within the affected range (such as kernel versions between 4.14 and 7.0). If confirmed as affected, refer to the official security advisory for temporary mitigations and upgrade after the official patch is released.
Windows high-risk vulnerability fix notes
When fixing high-risk Windows vulnerabilities (such as CVE-2026-26170 and other vulnerabilities involving OS-level components), note the following:
Back up before fixing: Create an ECS instance snapshot before applying the fix so you can quickly roll back if issues occur.
Fix during off-peak hours: Such fixes may require a server restart. Perform the fix during off-peak business hours to minimize impact.
Restart after fixing: Windows system patches typically require a server restart to take effect. Restart the server promptly after the fix is applied.
Limitations
Task Management: After a manual scan task is created, you must wait 15 minutes before you can manually click Stop in Task Management.
Scan duration: Scan completion time depends on the number of assets and the complexity of the vulnerabilities. A scan is typically completed within 30 minutes.
FAQ
Scan behavior and results
Why are multiple instances of the same vulnerability reported for a single server?
Application vulnerability detection targets specific running process instances. If a server runs multiple instances of a process with the same vulnerability, such as two identical Tomcat services on different ports, the system reports a separate vulnerability for each instance. If the vulnerable software is installed but its corresponding process is not running, the vulnerability is not detected.
Why do scan results for vulnerabilities like Fastjson sometimes vary?
The detection of such vulnerabilities depends on whether their components, such as JAR packages, are loaded into a "runtime" state during the scan. In a dynamic loading model, the system identifies the vulnerability only when business logic calls the vulnerable component. Therefore, scan results may differ at different times.
NoteTo improve detection accuracy for these types of vulnerabilities, we recommend that you run periodic or multiple scans.
Why do vulnerability records for a host remain on the console after its agent goes offline?
When an agent goes offline, its previously detected vulnerability records are retained on the console. However, these records automatically become stale, and you cannot act on them (for example, remediate, verify, or delete them). Vulnerabilities automatically become stale after the following periods:
ImportantAll data is permanently deleted only if the Security Center service expires and is not renewed within 7 days.
Linux Software Vulnerability and Windows System Vulnerability: 3 days.
Web-CMS Vulnerability: 7 days.
Application Vulnerability: 30 days.
Urgent Vulnerability: 90 days.
Will a manual scan affect the automatic scanning schedule?
Running a manual one-click scan does not affect the existing automatic scan schedule. The two operate independently. Automatic scans, such as system vulnerability scans that run daily or every two days, continue on their scheduled cycles regardless of manual scans.
Performance impact and security
Do vulnerability scans or POCs for urgent vulnerabilities affect business systems?
Typically, no. The POCs from Security Center send only one or two harmless probe requests and do not perform any attacks or destructive actions. However, in rare cases where an application handles unexpected input poorly, a minimal, unknown risk might exist.
Why can a vulnerability scan trigger an out-of-memory (OOM) error?
The Security Center agent has a default memory limit of 200 MB. If memory usage during a scan exceeds this limit, the system's OOM mechanism terminates the detection process (ALiSecCheck) to conserve resources.
NoteThis limit is typically managed by a control group (cgroup) named
aegisRtap0. You can find related OOM information in the dmesg logs.This is normal behavior and does not indicate a system-wide memory shortage. No user intervention is required.
This type of Out of Memory (OOM) error results from a cgroup memory limit, not a system-wide memory shortage.
Scan scope and capabilities
What does the vulnerability scan cover?
Scanning covers both the system and application layers:
System layer: Linux Software Vulnerability and Windows System Vulnerability.
ImportantWindows System Vulnerability scanning supports only monthly security update patches.
Application layer: Web-CMS Vulnerability, Application Vulnerability, and Urgent Vulnerability.
How do I view the list of vulnerabilities that Security Center can detect?
Log on to the Security Center console.
In the left-side navigation pane, choose Vulnerabilities > Vulnerabilities. In the overview section, find the Disclosed Vulnerabilities card.
Click the total number of vulnerabilities on the card to view a list of all detectable vulnerabilities and their details.
Is detection for specific vulnerabilities like Elasticsearch supported?
Yes. You can view detection results for services like Elasticsearch on the Application Vulnerability page in the console.
NoteThis feature is available only for Subscription (Enterprise and Ultimate editions) and Pay-as-you-go (Host Protection and Hosts and Container Protection). If your current edition does not support this feature, upgrade your service.